
BUILDING AN ENTERPRISE NETWORK SECURITY SYSTEM

Contents

PART I: BUILDING A PROXY AND FIREWALL WITH ISA SERVER
LESSON 1: OVERVIEW OF NETWORK SECURITY
1.1. Security concepts
1.2. Forms of network attacks
1.3. General methods for preventing attacks
LESSON 2: INTRODUCTION AND INSTALLATION OF ISA SERVER 2004
2.1. Introduction
2.2. Installing ISA 2004
LESSON 3: FIREWALL POLICIES ON ISA SERVER
3.1. Introduction
3.2. Allowing client machines full access to ISA Server
3.3. Allowing internal machines to access all services on External
3.4. Allowing Local Host to access the Internet
3.5. Allowing ISA Server to assign dynamic IP addresses to Clients
3.6. Allowing Clients and Local host to query DNS
3.7. Allowing clients to use dedicated mail clients (SMTP, POP3 or IMAP)
3.8. Managing and monitoring Internet access in ISA 2004
LESSON 4: PUBLISHING WEB AND MAIL IN ISA 2004
4.1. Introduction
4.2. Web Server Publishing
4.3. Mail Server Publishing
LESSON 5: SAVING INTERNET BANDWIDTH WITH CACHE AND CONTENT DOWNLOAD JOB
5.1. Cache and how Cache works
5.2. Configuring Content Download Job
LESSON 6: CONFIGURING PROXY SERVER FOR ISA SERVER
6.1. Configuration
6.2. Using ISA Firewall Client to configure the Proxy automatically
LESSON 7: BACKING UP AND RESTORING ISA SERVER CONFIGURATION
7.1. Backup
7.2. Restore
PART II: DEPLOYING MULTI VPN

PART I: BUILDING A PROXY AND FIREWALL WITH ISA SERVER

LESSON 1: OVERVIEW OF NETWORK SECURITY

Objectives:

- Understand the importance of network security in the enterprise
- Understand enterprise assets and the components related to security
- Grasp the attack methods used on networks and how to defend against them

1.1. Security concepts

In the context of integration, network security and data protection are attracting a great deal of attention. Now that infrastructure and network technologies meet the requirements for bandwidth and quality of service, while attacks on networks keep increasing, security is receiving more attention as well. Not only Internet service providers and government agencies but also enterprises and organizations have become more aware of information security. Deploying an information system and building strict, safe protection mechanisms helps maintain the sustainability of the enterprise's information system. We all understand that an enterprise's information is an invaluable asset. Beyond its purely material value, there are values that cannot be measured, such as the enterprise's reputation with its customers if customer transaction information were stolen and then exploited for various purposes. Hacker, attacker, virus, worm, phishing: these concepts are no longer unfamiliar, and they are genuinely the top concern of all information systems (PCs, enterprise networks, the Internet, etc.). That is why all these systems need to be equipped with strong tools and with an understanding of how to handle and counter the methods used to attack our networks. Who creates the strong firewall that can resist every intrusion into the system? First, the safe computing habits of every employee in an organization; then the thorough expertise of that organization's security administrators; and finally the most capable tools serving this fight. The task of security and protection is therefore heavy and hard to define in advance, but it comes down to three main directions:

- Ensuring safety on the server side
- Ensuring safety on the client side
- Securing information in transit

1.2. Forms of network attacks

Direct attacks

Direct attacks are usually used in the initial phase of seizing access to the internal network.

A typical direct attack is the classic method in which hackers guess the user's name and password, using some information already known about the user to guess the password; this is a simple method that is easy to carry out. Hackers can also use an automated program for this guessing. Such a program can easily obtain information from the Internet to decode encrypted passwords; it combines words from a large dictionary according to rules the user defines. In some cases the success rate of this method is quite high, up to 30%.

Eavesdropping on the network

Information sent over the network usually travels from one computer through a series of other computers before reaching its destination. This allows our information to be eavesdropped on by others. Worse still, the eavesdroppers can replace our information with information they created themselves and forward it on. Eavesdropping is usually carried out after hackers have gained access to the system or control of the transmission path. Fortunately, we still have ways to protect our personal information on the network: encrypting it before sending it over the Internet. This way, even if someone reads our information, it is meaningless to them.

Address spoofing

Address spoofing can be carried out by using direct routing. In this attack the attacker sends packets to another network with a spoofed address and at the same time specifies the path the packets must take. For example, someone could spoof your address to send information that harms you.

Disabling system functions

This is a type of attack that paralyzes the system, causing loss of the ability to provide services (Denial of Service - DoS) so that the system cannot perform the functions it was designed for. This type of attack is very hard to prevent, because the very means used to mount the attack are the means used to work and access information on the network. One example of a case that can occur is a person on the network using a program to push request packets at some station. On receiving a packet, the station must always process it and keep receiving the packets that follow until its buffer is full, so that service requests from other machines to that station are not served. Frighteningly, DoS attacks need only limited resources and can still halt the services of large, complex sites. For this reason this type of attack is also called an asymmetric attack. For example, an attacker with only an ordinary PC and a slow modem can still halt powerful computers or networks with complex configurations. This was clearly shown in the attacks on US websites in early February 2000.

Attacks on the human element

This is the most dangerous form of attack; it can lead to losses that are extremely hard to foresee. An attacker can contact the system administrator to have some information changed in order to create conditions for other attack methods. Moreover, the crux of safety and security on the network is the user. Users are the weakest point in the whole system because their skill and proficiency in using computers and protecting data are low. They themselves create the conditions for intruders to penetrate the system through many different channels, such as e-mail or the use of programs of unknown origin that are unsafe. With this kind of attack, no device can prevent it effectively; the only method is to instruct network users about security requirements and raise their vigilance. In general, the human element is a weak point in any protection system, and only guidance from the network administrator together with cooperation from users can raise the safety of the protection system.

Other types of attacks

Besides the forms of attack listed above, hackers also use other types, such as creating viruses that lie hidden in files which users, while unwittingly exchanging information over the network, install on their own machines. There are also many other attack types that we do not yet know about and that are being introduced by hackers.

1.3. General methods for preventing attacks

To prevent illegal access we must set out policy-planning requirements such as: determining who has the right to use the system's resources, how the resources the system provides will be used, and who has the right to enter the system. Give each person only enough rights to do their job. Also define the rights and responsibilities of users together with the rights and obligations of the system administrator. Nowadays, to manage access from outside in or from inside out, a firewall is set up to block illegal access from outside, while information servers are separated from the internal sites, which are places that should not receive intrusions from outside. The hacker attacks that cause the most damage usually target servers. The network operating system, server software, CGI scripts and so on are all targets where hackers exploit vulnerabilities to attack servers. Hackers can exploit vulnerabilities on a server to break into web pages and change their content or, more subtly, to break into the LAN and use the server to attack any computer on that LAN. Ensuring absolute safety for the server side is therefore not a simple task. The first thing to do is to close the holes that can appear in the installation of the network operating system, in the configuration of server software and CGI scripts, and to manage user accounts strictly. Securing users' personal information transmitted over the network is also an issue that needs serious consideration. We cannot know whether the information we send over the network is being eavesdropped on, whether its content is being changed, or whether it is being used for other purposes. To ensure information is transmitted safely over the network, a security mechanism must be established. This can be done by encrypting data before sending it or by establishing secure transmission channels.
Security keeps information protected so that others cannot exploit it. Today many different security methods are used on the Internet, such as symmetric and asymmetric (public key) encryption algorithms to encrypt information before it is transmitted. Besides software solutions, hardware solutions are also applied nowadays. A key factor against illegal access is the human element: we must constantly remind everyone to be conscientious in using shared resources and to avoid incidents that affect many people.

Security work usually begins with settings established right on the system, as well as company policy (the Group Policies that are deployed):

For accounts on the system:
- Change passwords periodically, using complex passwords at least 6 characters long that contain complex characters.
- Define the times at which users may log on to the system, and log them off when their network time ends.
- Users may only use one specific machine, and that machine must be joined to the Domain.

For storage locations:
- Ensure permissions are assigned sensibly; restrict the default permissions.
- Grant appropriate rights to each group of people responsible for and interacting with the data.
- Ensure there is always a backup to recover from in case of an incident.
- Physical safety: fire protection and protection against power incidents.
- Data in transit must be kept safe, with no modification or theft of information.

For the system:
- Ensure the system is always up to date, not only the operating systems but also user applications.
- Use Antivirus and AntiSpyware programs sensibly and appropriately.
- Deploy suitable policies for monitoring, maintaining and upgrading the system.
- Log events.

These are some of the tasks that must be performed to ensure system security; they encompass the roles of policy, administrator and user.

Conclusion:

The task of security and protection has three main directions:
- Ensuring safety on the server side
- Ensuring safety on the client side
- Securing data and securing information in transit

Forms of network attacks:
- Direct attacks
- Eavesdropping on the network
- Address spoofing
- Disabling system functions
- Attacks on the human element

General methods for preventing attacks:
- Change passwords periodically
- Define the times at which users may log on to the system, and log them off when their network time ends.
- Ensure permissions are assigned sensibly; restrict the default permissions.
- Grant appropriate rights to each group of people responsible for and interacting with the data.
- Ensure there is always a backup to recover from in case of an incident.
- Ensure the system is always up to date, not only the operating systems but also user applications.
- Use Antivirus and AntiSpyware programs sensibly and appropriately.
- Deploy suitable policies for monitoring, maintaining and upgrading the system.

LESSON 2: INTRODUCTION AND INSTALLATION OF ISA SERVER 2004

Objectives:

- Understand the ISA Server software
- Know how to install the ISA Server program

2.1. Introduction

Among the firewall products with NAT functionality on the market today, Microsoft's ISA (Internet Connection Sharing) is popular with many people because of its strong system protection and flexible management. ISA Server 2004 Firewall comes in two editions, Standard and Enterprise, serving different environments. ISA Server 2004 Standard meets the need to protect and share bandwidth (also called Internet Connection Sharing) for small and medium enterprises. With this edition we can build a firewall that controls the data flows into and out of the enterprise's internal network and controls user access by protocol, time and content, in order to block connections to websites with inappropriate content. In addition we can deploy a Site to Site or Remote Access VPN system to support remote access or data exchange between branch offices. For enterprises with important servers such as a Mail Server or Web Server that need strict protection in a separate environment, ISA 2004 allows deploying DMZ zones (the term for a demilitarized zone, free of hacker attacks or network administrator defence) to prevent direct interaction between people inside and outside the system. Besides the information security features above, ISA 2004 also has a cache that makes Internet connections faster, because web page content can be kept ready in RAM or on hard disk, saving a significant amount of system bandwidth. That is why this firewall product is named Internet Security & Acceleration. ISA Server 2004 Enterprise is used in large network models, meeting many access requirements from users inside and outside the system. Besides the features of ISA Server 2004 Standard, the Enterprise edition also allows setting up a network of ISA Servers that share one policy, which makes management easier and provides Load Balancing. In summary, ISA Server 2004 has these main functions:

- Sharing the Internet connection: sharing the bandwidth of the Internet line.
- Acting as a Firewall Server, controlling and restricting data flows from outside into the internal network and vice versa.
- Accelerating Web access with a Cache on the Server.
- Supporting VPN (virtual private network) setup with ISA Server as the VPN Server.
- ISA Server 2004 Enterprise additionally offers Load Balancing across 2 or more Internet lines.

2.2 Installing ISA 2004.

Network models using ISA Server:

- ISA Server also acting as Domain Controller, File Server, Web Server and Mail Server.
- ISA Server forming a Firewall that separates the Internet from the other Servers in the network.

Before installing ISA Server 2004

- A few terms used in ISA Server:
  - External network: hosts that communicate with ISA Server through the Internet interface card of the ISA machine
  - Internal network: hosts belonging to the internal network, communicating with ISA Server through the internal interface card
  - Local host: the ISA Server machine itself
  - Firewall: the system that controls the data flows in and out, passing through the Local host.
  - Web Caching: the (temporary) storage of data from Web Servers on the Internet that passes through ISA Server.
- Preparing the machine before installing ISA Server:
  - The server must run Windows 2003 server and have 2 NICs: one for the internal network and one for the Internet.
  - The Server should have DHCP (to assign dynamic IP addresses) and DNS (to resolve domain names).
  - Name the 2 network cards so they are easy to identify, for example Local and Internet.
  - Set a static IP address for the Local network card:
  - Set a static IP address for the Internet network card:

Installing ISA Server 2004

1. Open ISAAutorun.exe on the ISA 2004 CDROM.
2. On the ISA 2004 Setup screen, choose Install ISA Server 2004.
3. Choose the installation type:
   - Typical: installs only a minimal set of services
   - Complete: all services are installed, such as Firewall; Message Screener; Firewall Client Installation Share
   - Custom: lets you choose which components of ISA Server 2004 to install
   Here we choose the Typical installation and keep the default installation folder for ISA Server, then click Next.
4. Specify the exact IP address range of the Internal Network by clicking Add:
   192.168.10.1 -- 192.168.10.255
5. If Clients in the internal network previously installed ISA Firewall Client 2000, check Allow computers running earlier versions of Firewall Client software to connect so that they can connect to the ISA 2004 Server.
6. Continue the installation and click Finish to complete the ISA 2004 installation.

Conclusion:

ISA Server 2004 has these main functions:
- Sharing the Internet connection: sharing the bandwidth of the Internet line.
- Acting as a Firewall Server, controlling and restricting data flows from outside into the internal network and vice versa.
- Accelerating Web access.
- Supporting VPN (virtual private network) setup with ISA Server as the VPN Server.

LESSON 3: FIREWALL POLICIES ON ISA SERVER

Objectives:

- Understand and master the policies on ISA Server
- Manage the inbound and outbound protocols passing through ISA Server

3.1. Introduction

By default, once ISA Server 2004 is installed, it replaces the Windows Server Routing and Remote Access service in performing NAT. However, the default ISA Server Firewall Policy closes all ports (TCP and UDP) on the ISA Server machine. This blocks all network communication from the Server to Internal or External. Firewall Policies on ISA Server let the administrator define rules that allow or deny data flows (by connection protocol) moving from one place to another (Source and Destination), applied to one or more specific users (Users). Data flows passing through ISA Server are checked by the Firewall Policies based on the rules set by the administrator or the ISA defaults. Rules are consulted in order from top to bottom. When a rule matching the conditions of the data flow is found, the flow is blocked or allowed without regard to the rules below it. ISA Server 2004 Firewall has 3 kinds of security policy: System policy, Access rule and Publishing rule.

System policy: usually hidden, used for interaction between the firewall and other network services such as ICMP, RDP and so on. System policy is processed before access rules are applied. After installation the default system policies allow ISA Server to use system services such as DHCP, RDP, Ping and so on.

Access Rule: the set of rules governing data flows such as Internet, Mail, FTP and DNS passing through ISA Server.

Publishing Rule: used to expose services such as a Web Server or Mail Server on the Internal or DMZ network so that users on the Internet can access them.

Configure ISA Firewall Policy through the ISA Management Console interface on the ISA Server itself, or install the ISA Management Console tool on another machine and connect to ISA Server to perform administration remotely. The ISA Server Management console interface has 3 main parts:

- Left pane: browse the main functions such as Server name, Monitoring, Firewall Policy, Cache and so on
- Middle pane: shows the details of the main component selected, such as System Policy, Access Rule and so on
- Right pane: also called the Tasks Panel, containing special tasks such as Publishing Server, Enable VPN Server and so on

3.2 Allowing client machines full access to ISA Server

An Access Rule created by the administrator consists of these components:
- Rule name: the name of the rule, chosen freely; it should suggest what the rule does
- Action: the rule's behaviour, Allow or Deny
- Protocol: the protocol (or service) the rule applies to
- Source: where the data flow originates
- Destination: where the data flow is going
- Users: the accounts affected by the rule

Below are the steps to create a Rule that allows all Clients in the internal network to access all services on ISA Server, applied to all network users.

1. Open ISA Management (Start Menu > Programs > Microsoft ISA Server), select Firewall Policy > Create New Access Rule.
2. Type Internal Access to Local host in Access Rule Name and click Next.
3. In Rule Action choose Allow and click Next.
4. In the Protocol window choose All outbound traffic and click Next.
5. In Access rule Source click Add, choose Internal, click Close, then click Next.
6. In Access rule Destinations choose Local Host, click Close, then click Next.
7. Choose All Users and click Next.
8. Click Finish to complete.

Result:

After this rule is applied, all Clients in Internal can reach all protocols and services on the Local Host machine, for all users.

3.3. Allowing internal machines to access all services on External.

1. In Firewall Policy, create a new Access rule.

2. Enter the rule's name (Access Rule Name), for example Internal Access Internet, and click Next.
3. In Rule Action choose Allow (the rule's behaviour is to permit) and click Next.
4. In Protocol choose All outbound traffic (applies to the data flows of every service) and click Next.
5. In Access Rule Source click Add, choose Internal, click Close, then click Next.
6. In Access rule Destinations choose External, click Close, then click Next.
7. Choose All Users in the User Sets window and click Next.
8. Click Finish, then Apply, to complete.

Result:

All machines in the internal network are allowed to access all services on the Internet through ISA Server, for all users.

3.4. Allowing Local Host to access the Internet.

Created the same way as in the two sections above:
- Rule Name: Local Host Access to Internet
- Action: Allow
- Protocols: All outbound traffic
- Source: Local Host
- Destination: External
- User: All Users
Click Apply to commit the Access rule just created.

Result:

The ISA Server machine is allowed to access all services on the Internet, for all users.

3.5. Allowing ISA Server to assign dynamic IP addresses to Clients

Assume the ISA Server is also a DHCP Server. Be aware that after ISA Server is installed, the DHCP function on ISA Server is locked. Also understand that the DHCP service works in 2 directions:
- From the DHCP Clients, the request for an IP address is broadcast on the network (called DHCP request, port 67).
- The DHCP Server receives this request and replies with IP parameters for the DHCP Client (called DHCP reply, port 68).

Create a rule that allows the DHCP service to work, following this template:
1. Access rule name: Allow DHCP
2. Rule Action: Allow
3. Protocol: under This rule applies to, choose Selected protocols, click Add and choose the 2 protocols DHCP Request and DHCP Reply
4. Access rule source: choose Internal and Local Host
5. Access rule destination: choose Local Host and Internal
6. User sets: choose All Users
7. Click Apply to commit the Access rule just created

Result:

Machines in Internal receive the DHCP service from ISA Server.

3.6. Allowing Clients and Local host to query DNS

As with DHCP, a DNS server installed on ISA Server is not allowed to operate until a permitting rule is created. DNS also works in 2 directions, like DHCP:
- From the DNS Clients, a domain name query or IP address query (called DNS Client) is sent to the DNS Server.
- If ISA Server is also the DNS Server, it receives the query and answers with the IP address (or domain name) for the DNS Client (DNS Server and DNS both use port 53).

Create a rule that allows the DNS service to work, following this template:
1. Access rule name: Allow DNS
2. Rule Action: Allow
3. Protocol: under This rule applies to, choose Selected protocols, click Add and choose the 2 protocols DNS and DNS Server (if the DNS server only acts as a Forwarder, DNS Server need not be added)
4. Access rule source: choose Internal and Local Host
5. Access rule destination: choose Local Host and Internal
6. User sets: choose All Users
7. Click Apply to commit the Access rule just created

Result:

All Clients in the internal network receive the DNS service provided by ISA Server.

Note: if the ISA server machine is not the DNS Server, the Destination must be changed to External. Local Host can be replaced by one or more specific DNS Servers on the network. This requires the administrator to define Computer or Computer set objects beforehand.

Check name resolution:
- Start menu > Run > CMD (open a command prompt)
- Type: nslookup (the DNS lookup command)
- > server 203.113.188.1 (specify the DNS server used to look up names)
- > www.google.com (look up the IP address of Google)

3.7. Allowing clients to use dedicated mail clients (SMTP, POP3 or IMAP)

Dedicated mail: accessing mail with dedicated software such as MS Outlook Express, MS Outlook, Thunderbird or Netscape Messenger (as opposed to accessing mail on the Web). The mail service also works in 2 directions:
- From the mail Clients, mail is sent to the mail Server with the SMTP protocol (Simple Mail Transfer Protocol), default port 25.
- Mail is received from the Mail Server with one of these protocols:
  - POP3 (Post Office Protocol), default port 110
  - IMAP4 (Internet Mail Access Protocol), port 143
  - POP3S (POP3 Security), port 995
  - IMAP4S (IMAP4 Security), port 993

Create an access rule that allows the Mail service to work, following this template:
1. Access rule name: Allow Mail
2. Rule Action: Allow
3. Protocol: under This rule applies to, choose Selected protocols, click Add and choose the protocols SMTP, POP3 and IMAP
4. Access rule source: choose All Networks
5. Access rule destination: choose All Networks
6. User sets: choose All Users
7. Click Apply to commit the Access rule just created

Result:

All machines in all networks are allowed to use the send/receive email service with one another, for all users.

3.8. Managing and monitoring Internet access in ISA 2004.

Although the system is connected to the Internet, some enterprises have their own system policy requirements, such as: filtering out blacklisted websites (employees may not visit them); not allowing chat with a particular tool; allowing file downloads over FTP. In addition, to serve web browsing, the HTTP protocol is allowed but downloading files that can execute on Windows over HTTP is forbidden, to prevent virus infection. ISA Firewall Policy makes this possible.

3.8.1. Blocking all employees from unwanted websites: Web Filter.

To do this, first create a new network object of the URL sets type. This object holds the list of URL addresses (Uniform Resource Locator, roughly the location of the resource the user accesses) that the administrator wants to block (or allow) access to.

1. Create a new URL set and enter the URLs.
2. In ISA Management, choose Toolbox (in the right-hand pane) > Network Objects. Click New > URL Set.
3. In the Name field, enter the name of the URL set, for example Webs Denied.
4. Click New and enter the URLs for the Set (see the illustration).
   Click OK to add the URL set Webs Denied to the object list.
5. Create the Access rule: Web Filter
6. Access rule name: Web Filter
7. Rule Action: Deny
8. Protocol: choose Selected protocols and Add the 2 protocols HTTP and HTTPS
9. Access rule source: choose Internal
10. Access rule destination: choose the URL set Webs Denied
11. User sets: choose All Users
12. Click Apply to commit the Access rule just created

Result:

No internal machine is allowed to access the Web sites in the Webs Denied list, for all users.

3.8.2. Blocking the employees of a department from accessing the Internet during working hours.

First the administrator must create a working-hours schedule on which time-based Firewall policies are based. Likewise, if the Firewall Policy is to apply to specific users, each user must own an account in the enterprise's Domain network. (See the Windows 2003 Server module.)

1. Define the organization's working-hours schedule (Schedule).
2. In ISA Management, choose Toolbox (in the right-hand pane) > Schedules and click New.
3. Create the new Schedule with these fields: Name: the name of the Schedule; Description: a detailed description of the schedule (if needed).

The squares represent the hours of the day. The blue squares represent the hours during which the schedule is in effect; the white squares are hours when the schedule is not in effect. The illustration below is a schedule defining working hours from 8:00 to 12:00 and from 14:00 to 18:00 on every day of the week except Sunday. Saturday afternoon alone is not restricted.

Creating user groups in ISA Server

Creating user groups (called User sets) lets the administrator apply access rules to specific users on the network.

1. In ISA Management, choose Toolbox (in the right-hand pane) > Users and click New.
2. Name the User set object, for example Sale Group.
3. In the Users window choose Add... > Windows users and Groups...
4. Choose the AD accounts to include in the User Set, click Next, then Finish.

3.8.3. Creating an Access Rule that denies the Sale Group Internet connections during working hours:

Options for this Access rule:
- Access rule name: Cam Sales truy cap internet
- Rule Action: Deny
- Protocol: choose All outbound protocol
- Access rule source: choose Internal
- Access rule destination: choose External
- User sets: remove All Users; add Sale Group

Result:

After the Access rule is created, open Properties for this Access rule, choose the Schedule tab and apply the time during which the Access rule is in effect.

Click Apply to commit the Access rule just created.

3.8.4. Creating an access rule that allows the employees of a department to access the Internet during the specified hours.

Options for this Access rule:
- Access rule name: Cho truy cap trong gio lam viec
- Rule Action: Allow
- Protocol: choose All outbound protocol
- Access rule source: choose Internal
- Access rule destination: choose External
- User sets: remove All Users

After the Access rule is created, open Properties for this Access rule, choose the Schedule tab and choose Work times to apply the time during which the Access rule is in effect. Click Apply to commit the Access rule just created.

Result:

All internal machines are allowed to access the Internet during working hours, for everyone.

Pay attention to the Order of the 2 access rules, Deny and Allow Internet access, in sections 3.5.2 and 3.5.3. If the Allow access rule is placed above the Deny rule, the users in Sale Group will be allowed access (because the Allow rule applies to All Users).
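As an added example (not part of the course text or of ISA Server itself), the following Python script models the first-match, top-to-bottom evaluation described in 3.1 and reproduces the ordering pitfall noted above for the Deny and Allow rules of 3.8.3 and 3.8.4, with the Web Filter URL set of 3.8.1 in front of them. The Schedule and Request classes, the hostnames in the sample URL set, the Accounting user set and the dates are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ALL = "*"  # stands for the console's "All outbound traffic" / "All Users" choices


@dataclass
class Schedule:
    """Active hours per weekday (0 = Monday ... 6 = Sunday) as half-open [start, end) hour ranges."""
    hours: dict

    def is_active(self, when: datetime) -> bool:
        return any(s <= when.hour < e for s, e in self.hours.get(when.weekday(), []))


@dataclass
class Request:
    protocol: str
    source: str        # network the client sits in, e.g. "Internal"
    destination: str   # network the target sits in, e.g. "External"
    host: str          # hostname requested, used for URL-set matching
    user_sets: set     # user sets the authenticated user belongs to
    when: datetime


@dataclass
class Rule:
    name: str
    action: str        # "Allow" or "Deny"
    protocols: set
    sources: set
    destinations: set  # network names and/or URL-set names
    users: set
    schedule: Optional[Schedule] = None

    def matches(self, req: Request, url_sets: dict) -> bool:
        # A rule whose Schedule is not active at this moment is skipped entirely.
        if self.schedule is not None and not self.schedule.is_active(req.when):
            return False
        if ALL not in self.protocols and req.protocol not in self.protocols:
            return False
        if ALL not in self.sources and req.source not in self.sources:
            return False
        if ALL not in self.users and not (self.users & req.user_sets):
            return False
        for dest in self.destinations:
            if dest in (ALL, req.destination):
                return True
            if req.host in url_sets.get(dest, set()):  # destination is a URL set
                return True
        return False


def evaluate(rules, req, url_sets):
    """Walk the rules top to bottom; the first match decides. No match means ISA's default deny."""
    for rule in rules:
        if rule.matches(req, url_sets):
            return rule.action, rule.name
    return "Deny", "<default deny>"


# "Work times": 8-12 and 14-18 Monday to Friday, Saturday morning only, nothing on Sunday (as in 3.8.2).
_hours = {d: [(8, 12), (14, 18)] for d in range(5)}
_hours[5] = [(8, 12)]
WORK_TIMES = Schedule(_hours)

# Constructed sample URL set; the hostnames are placeholders, not a real blocklist.
URL_SETS = {"Webs Denied": {"blocked.example", "casino.example"}}

WEB_FILTER = Rule("Web Filter", "Deny", {"HTTP", "HTTPS"}, {"Internal"}, {"Webs Denied"}, {ALL})
DENY_SALES = Rule("Cam Sales truy cap internet", "Deny", {ALL}, {"Internal"}, {"External"},
                  {"Sale Group"}, WORK_TIMES)
ALLOW_WORK = Rule("Cho truy cap trong gio lam viec", "Allow", {ALL}, {"Internal"}, {"External"},
                  {ALL}, WORK_TIMES)

CORRECT_ORDER = [WEB_FILTER, DENY_SALES, ALLOW_WORK]
WRONG_ORDER = [WEB_FILTER, ALLOW_WORK, DENY_SALES]  # Allow above Deny: Sale Group slips through


def web_request(host, user_sets, when, destination="External"):
    """HTTP request from an Internal client; helper for the demonstrations below."""
    return Request("HTTP", "Internal", destination, host, user_sets, when)


MONDAY_10 = datetime(2024, 1, 8, 10, 0)   # Monday, inside Work times
MONDAY_20 = datetime(2024, 1, 8, 20, 0)   # Monday evening, outside Work times

if __name__ == "__main__":
    sales = web_request("news.example", {"Sale Group"}, MONDAY_10)
    print("correct order:", evaluate(CORRECT_ORDER, sales, URL_SETS))  # Deny by the Sales rule
    print("wrong order:  ", evaluate(WRONG_ORDER, sales, URL_SETS))    # Allow: the Deny rule is never reached
    print("blocked site: ", evaluate(CORRECT_ORDER, web_request("casino.example", {"Accounting"}, MONDAY_10), URL_SETS))
    print("after hours:  ", evaluate(CORRECT_ORDER, web_request("news.example", {"Accounting"}, MONDAY_20), URL_SETS))
```

Outside Work times neither scheduled rule matches, so the request falls through to the default deny; any real deployment also has the rules of 3.3 in the list, which is why the order of the whole list, not just these two rules, has to be checked.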
3.8.5. Allowing employees to access only Text and Image Web content.

Options for this Access rule:
- Access rule name: All Web Text
- Rule Action: Allow
- Protocol: choose Selected protocols and Add the 2 protocols HTTP and HTTPS
- Access rule source: choose Internal
- Access rule destination: choose External
- User sets: remove All Users

After the Access rule is created, open Properties for this Access rule and choose the Content type tab to specify which document content types the Access rule does or does not apply to. Here we only allow access to content of the types Documents, Text, HTML Documents and Images.

Restricting the content types that can be accessed gives the administrator many options for reducing bandwidth, preventing online video and music, and preventing viruses (executable formats such as *.exe and *.dll) from the Internet infecting the internal network.

Conclusion:

By default, once ISA Server 2004 is installed, it replaces the Windows Server Routing and Remote Access service in performing NAT. However, the default ISA Server Firewall Policy closes all ports (TCP and UDP) on the ISA Server machine. Firewall Policies on ISA Server let the administrator define rules that allow or deny data flows (by connection protocol) moving from one place to another (Source and Destination), applied to one or more specific users (Users). Data flows passing through ISA Server are checked by the Firewall Policies based on the rules set by the administrator or the ISA defaults. Rules are consulted in order from top to bottom. When a rule matching the conditions of the data flow is found, the flow is blocked or allowed without regard to the rules below it. ISA Server 2004 Firewall has 3 kinds of security policy: System policy, Access rule and Publishing rule.

- System policy: usually hidden, used for interaction between the firewall and other network services such as ICMP, RDP and so on. System policy is processed before access rules are applied. After installation the default system policies allow ISA Server to use system services such as DHCP, RDP, Ping and so on.
- Access Rule: the set of rules governing data flows such as Internet, Mail, FTP and DNS passing through ISA Server.
- Publishing Rule: used to expose services such as a Web Server or Mail Server on the Internal or DMZ network so that users on the Internet can access them.

LESSON 4: PUBLISHING WEB AND MAIL IN ISA 2004.

Objectives:

- Know how to publish Web Servers and Mail Servers to the external network

4.1. Introduction:

For users out on the Internet to reach the Mail or Web servers inside our enterprise, we must "publish" them through our ISA Server. Note that accessing email also requires other protocols such as DNS, POP, SMTP and so on. We may therefore need to allow DNS requests from the Mail Server to the Domain Controller (with integrated DNS) in the Internal network, or to the ISP's DNS servers.

4.2. Web Server Publishing.

Assume your internal network has a Web Server (IP address 192.168.1.100), separated from the Internet by ISA Server. For Internet users to reach this Web Server through ISA Server, the administrator must publish the Web Server on the ISA Firewall.

1. In ISA Management > Firewall Policy > Tasks > Publish a Web Server.
2. Name the Rule in Web publishing rule name.
4. Choose the Action Allow and click Next.
5. In Define Web Server to publish, enter the IP address of the Web Server to publish, for example 192.168.1.100. If Internet users should only be allowed to reach one Virtual Site on the Web Server while believing they are reaching the root Website, check Forward the original host header instead of the actual one and enter the path of the Virtual site.
6. The Public Name Details window lets you choose whether the Web server answers requests from users of a specified domain (This domain name (type below)) or from users of any domain (Any domain name).
7. The Select Web Listener window specifies the IP address and port on which ISA server accepts Web requests from the Internet. If the administrator has not yet defined a Listener, click New to create one.
8. Create a new Web listener named, for example, Web listener.
9. IP Addresses window: in the list Listen for requests from these networks, choose External (requests are accepted from all IP addresses on the Internet). Click Next.
10. Port Specification window: specify the port that receives Web requests. The default is 80.
11. Click Finish to return to the Select Web Listener screen. Here you can fine-tune the Listener with the Edit button, or select the Listener just created and click Next.
12. Choose to apply to All Users and click Finish.

Result:

All Web requests sent from the Internet to ISA Server (on port 80) are forwarded to the Web server 192.168.1.100. The Web Server answers Web requests for all users.

4.3. Mail Server Publishing.

1. Publish the Mail server for Web-based client access (WebMail).
2. In ISA Management → Firewall Policy → Tasks → Publish a Mail Server.
3. Enter a name for the rule, for example Publishing Exchange server.
4. The Select Access Type window offers three kinds of access from external clients to the Mail Server on the internal network:
5. Web Client Access: allows access to the Mail Server over the Web through services such as OWA and OMA.
6. Client Access: allows clients to access mail with dedicated mail clients over SMTP, POP, IMAP, etc.
7. Server-to-Server: relays mail between Mail Servers. Here, choose Web Client Access.
8. Select Services window: choose Outlook Web Access and Exchange ActiveSync.
9. The Bridging Mode window offers three ways of setting up the connection between the client and the Mail Server:
10. Secure connection to clients: secures the connection between the ISA Server and the mail clients.
11. Secure connection to clients and mail server: secures the connections Mail Server - ISA Server - mail clients.
12. Standard connections only: the connection is not secured.
13. The Specify Web Mail Server window asks for the IP address of the Mail Server.
14. Public Name Details window: same meaning as for web publishing. Choose Any domain name.
15. Select Web Listener window: note that the Webmail service lets users access mail over the Web, which means the WebMail port is also the HTTP port (80). Therefore, choose the Web listener created in section 3.6.1.
16. In User Sets choose All Users.
17. Click Apply to save the configuration.

Result:

The mail Server 192.168.1.99 is published for everyone to access as WebMail.

Publishing the Mail server for access with dedicated mail clients:

1. In ISA Management → Firewall Policy → Tasks → Publish a Mail Server.
2. Enter a name for the rule, for example Publish mail server with POP3.
3. The Select Access Type window offers three kinds of access; choose Client Access (allows clients to access mail with dedicated mail clients over SMTP, POP, IMAP, etc.).
4. In Select Services choose the services: POP3, IMAP4 and SMTP.
5. Set the IP address of the Mail Server in Select Server.
6. Specify where the mail clients accessing the Mail Server are located; for example, choose External.
7. (All IP addresses)
8. Click Finish to complete.
9. Click Apply to save the configuration.

Result:

The three protocols allow the mail Server 192.168.1.99 to be accessed from mail clients through the ISA Server using dedicated mail clients.

Conclusion:

For users on the Internet to reach the Mail or Web servers inside the enterprise, we need to "publish" them through our ISA Server. Note that accessing email also requires other protocols such as DNS, POP, SMTP, etc. We may therefore also need to allow DNS requests from the Mail Server to the Domain Controller (with integrated DNS installed) on the Internal network, or to the ISP's DNS servers.

LESSON 5: SAVING INTERNET BANDWIDTH WITH THE CACHE AND CONTENT DOWNLOAD JOB FEATURES

Objectives:

Understand how the cache works. Know how to configure the cache in ISA Server.

5.1. The Cache and how it works

Definition of the Cache in ISA:

The cache is an area of hard disk space (on the ISA Server machine) used to store data that passes through the ISA server. By default, after ISA server is installed, the cache is not active because no disk space has been assigned to it.

How the Cache works:

Consider a LAN connected to the Internet as in the figure below, with the ISA Server configured for caching:

1. Client 1 sends a Web request to the ISA Server.
2. The ISA Server forwards the request to the Web Server on the Internet.
3. The response from the Web Server is returned to the ISA Server, which stores it in the cache.
4. A copy of the response is returned to Client 1.
5. Client 2 sends a Web request to the ISA Server.
6. If the requested content is already in the cache, the ISA Server answers Client 2 without going out to the Internet.

Advantages and disadvantages of the Cache on ISA server:

The cache makes better use of content already downloaded from the Internet, which reduces the load on the Internet link, and clients experience faster web access. Because content is usually served from the cache, users often see only old content; newer content has to wait until the ISA cache refreshes the entry when its retention time expires.

5.1.1. Configuring the Cache in ISA Management

1. In the left pane of ISA Server 2004 Management, expand Configuration → right-click Cache → choose Define Cache Drives... (select the disk used for the cache).
2. ISA Server requires the disk holding the cache to use the NTFS file system. Set the maximum cache size in Maximum cache size (MB). The administrator chooses this size based on how heavily the clients use Web and FTP and on the free space on the disk.
3. Click Set to assign the cache size.
4. Once the cache is defined, the administrator must enable it: right-click Cache → choose Properties...
5. Choose the Active Caching tab → check Enable Active Caching.
6. ISA offers three caching policies:
   Frequently: if the administrator wants to check the Web (or FTP) servers for new content more often.
   Less Frequently: if the administrator considers reducing Internet bandwidth more important than refreshing cached content more often.
   Normally: refreshing cached content and reducing bandwidth are weighted equally.
7. Depending on your needs, choose one of the three policies and click OK to confirm.
8. Because a new service has been configured, when you click Apply you must choose Save the changes and restart the services.

5.1.2. Setting up a Cache Rule

As mentioned above, the cache in ISA server saves bandwidth but limits access to fresh content such as news and search results. To address this, the administrator can create a cache rule that prevents caching of content from URLs that must always deliver the latest information.

Creating a Cache Rule:

1. In the Tasks pane choose Create a Cache Rule.
2. Enter a name for the Cache Rule, for example: None Caching.
3. The Cache Rule Destination window specifies the URLs affected by the cache rule. Here, the URLs are the addresses of web sites whose content must be continuously up to date. Click Add to put this list of URLs into the Cache destination.
4. If no URL set containing the non-cached URLs exists yet, click New → URL Set.
5. Enter the URL Set name No Cache Webs. Then click New to enter the addresses of the Web sites whose content will not be stored in the ISA cache.
6. Click OK to return to the Add New Network Entities window, open URL Sets → choose No Cache Webs → Add.
7. Since the purpose of this rule is to not cache content from the web sites listed in the URL Set No Cache Webs, the options on the Content Retrieval screen can be ignored.
8. In the Cache Content window choose Never, no content will ever be cached.
9. Finally click Finish to complete the setup.
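The cache flow of section 5.1 (client 1 fills the cache, client 2 is served stale content until the retention time expires) and the "Never cache" rule for a URL Set of section 5.1.2 can be seen together in this added Python model. It is an illustration written for this manual, not ISA code; the cache class, the URL Set name No Cache Webs and all hosts and versions are constructed.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class CachedEntry:
    body: bytes
    fetched_at: float   # time the object was fetched from the origin server
    ttl: float          # seconds the object may be served from cache


class ProxyCache:
    """Model of the ISA forward cache plus a 'Never cache' rule for a URL Set (constructed)."""

    def __init__(self, fetch_origin, no_cache_sets, default_ttl=300.0, clock=time.time):
        self.fetch_origin = fetch_origin     # stands in for the Web server on the Internet
        self.no_cache_sets = no_cache_sets   # {"URL Set name": ["host", "*.domain"], ...}
        self.default_ttl = default_ttl
        self.clock = clock
        self.store = {}
        self.origin_requests = 0             # how often the Internet link was used

    def _never_cache(self, url):
        """True if the URL's host matches an entry of a 'No Cache' URL Set."""
        host = (urlparse(url).hostname or "").lower()
        for patterns in self.no_cache_sets.values():
            for pat in patterns:
                if pat.startswith("*.") and (host == pat[2:] or host.endswith(pat[1:])):
                    return True
                if host == pat:
                    return True
        return False

    def get(self, url):
        """Return (body, status): HIT from cache, or MISS/EXPIRED/NOCACHE via the origin."""
        now = self.clock()
        entry = self.store.get(url)
        if entry is not None and now - entry.fetched_at < entry.ttl:
            return entry.body, "HIT"          # steps 5-6: answered without the Internet
        body = self.fetch_origin(url)         # steps 1-3: forwarded to the origin server
        self.origin_requests += 1
        if self._never_cache(url):
            return body, "NOCACHE"            # cache rule: never stored
        self.store[url] = CachedEntry(body, now, self.default_ttl)
        return body, "MISS" if entry is None else "EXPIRED"


def run_scenario():
    """Constructed walk-through: two clients, a stale page, expiry and a no-cache news site."""
    clock = [1000.0]                          # controllable clock instead of real time
    versions = {"http://www.example.com/": 1, "http://news.example.org/": 1}

    def origin(url):                          # constructed origin server content
        return f"{url} v{versions[url]}".encode()

    cache = ProxyCache(origin, {"No Cache Webs": ["news.example.org"]},
                       default_ttl=60.0, clock=lambda: clock[0])
    log = []
    log.append(cache.get("http://www.example.com/"))   # client 1: MISS, cached as v1
    versions["http://www.example.com/"] = 2            # origin publishes a new version
    log.append(cache.get("http://www.example.com/"))   # client 2: HIT, but still sees v1
    clock[0] += 61.0                                   # retention time expires
    log.append(cache.get("http://www.example.com/"))   # EXPIRED: refreshed, now v2
    log.append(cache.get("http://news.example.org/"))  # NOCACHE every time
    log.append(cache.get("http://news.example.org/"))
    return [(status, body.decode()) for body, status in log], cache.origin_requests
```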

5.2. Configuring a Content Download Job

Suppose many users on the internal network regularly visit a particular web site. To speed up access, the administrator can configure the ISA Server to download that site's content into the cache ahead of time, on a chosen day and time of the week (a Content Download Job).

Configuring a Content Download Job:

1. In the left pane of ISA Server 2004 Management, expand Configuration → right-click Cache → choose New Content Download Job...
2. Enter a name for the Content Download Job (for example: ispace.edu.vn).
3. Set the time at which the download runs.
4. Content Download window → enter the address of the web site to download in Download content from this URL.
5. Accept the default values in the remaining steps → finally click Finish to complete.

Configuring clients to use the Cache and Content Download Job on the ISA Server

Client machines on the network access the Internet through the ISA Server in one of two ways:
- The client uses the ISA Server as a NAT Server.
- The client uses the ISA Server as a Proxy Server.

When the ISA Server is used as SecureNAT, the clients treat the ISA Server as their Default Gateway. Using the ISA Server as a Proxy Server requires two conditions:
- The Proxy Server function is configured on the ISA Server.
- The clients configure the Proxy Server in their browsers.

The Content Download Job on the ISA Server only benefits clients that use the ISA Server as a Web Proxy Server or FTP Proxy Server.

Conclusion:

The cache is an area of hard disk space (on the ISA Server machine) used to store data that passes through the ISA server. By default, after ISA server is installed, the cache is not active because no disk space has been assigned to it. The cache makes better use of content already downloaded from the Internet, which reduces the load on the Internet link, and clients experience faster web access. Because content is usually served from the cache, users often see only old content; newer content has to wait until the ISA cache refreshes the entry when its retention time expires.

LESSON 6: CONFIGURING THE PROXY SERVER ON ISA SERVER

Objectives:

Understand the proxy server. Configure the Proxy Server in ISA.

6.1. Configuration

1. In ISA Server Management choose Networks (left pane) → Properties of Local Host.
2. Local Host Properties window → check Enable Web Proxy → OK (note that the default Proxy port is 8080).
3. Configure the Proxy Server on the client.

On the client: go to Control Panel → Internet Options → Connections tab → LAN Settings button → check Use a proxy server and enter the IP address (or host name) and port of the Proxy.

6.2. Using the ISA Firewall Client to configure the Proxy automatically

To obtain the ISA Firewall Client installation source for the clients, the administrator must add the ISA Firewall Client component to the ISA Server 2004 installation on the ISA Server machine.

1. On the ISA Server machine: run the MS ISA Server 2004 setup again.
2. Choose Modify to add or remove components.
3. In the Custom Setup window, click Firewall Client Installation Share → choose This feature will be installed on local hard drive.
4. Click Next until the installation completes. After the Firewall Client Installation Share is installed, the Clients folder (under C:\Program Files\Microsoft ISA Server) is shared on the network (share name Mspclnt). This folder contains the ISA Firewall Client installation source.

Install the ISA Firewall Client on the client machines by running Setup.exe from the installation source. After a successful installation, the Firewall Client icon appears in the tray bar.

Initially the ISA Firewall Client is disabled and does not configure any settings on the client.

1. Right-click the Firewall Client icon → Configure to open the configuration page.
2. On the General tab: check Enable Microsoft Firewall Client.
3. There are two ways to specify the ISA Server for the client:
   Automatically detect ISA Server: click Detect Now so that the program finds the ISA Server automatically.
   Manually select ISA Server: the user enters the host name (or IP address) of the ISA Server. The Test Server button checks that the entered information is correct.
4. On the Web Browser tab: check Enable Web browser automatic configuration and click Configure Now to apply the Proxy settings to the web browsers on the client. These settings are obtained from the ISA Server.

When using the Proxy for web access, clients do not need a Default Gateway or DNS Server configured; it is only necessary to configure an IP address on the same network ID as the ISA Server.

Conclusion:

A proxy has the functions of a firewall, plus the additional benefit of a cache for storing data. It acts as a secure gateway between the LAN and the Internet, and prevents users from reaching "sensitive" addresses. To obtain the ISA Firewall Client installation source for the clients, the administrator must add the ISA Firewall Client component to the ISA Server 2004 installation on the ISA Server machine.

LESSON 7: BACKING UP AND RESTORING THE ISA SERVER CONFIGURATION

Objectives:

Know how to back up and restore ISA.

7.1. Backup

In large organizations with many departments and staff, each department requires its own access policies, so the number of policies becomes very large and hard to manage. To keep the system running reliably, we must back up the policies completely so that they can be restored when a failure occurs. We can back up the entire ISA Server or only certain firewall policies.

1. Open the ISA Management Console, select the server name (ISA) and click Backup the ISA Server Configuration in the Tasks pane.
2. Next, enter a name for the backup file, choose where to store it and click Backup. A dialog asks for a password for the backup file → enter the password → OK.

7.2. Restore

1. Choose Restore this ISA Server Configuration in the Tasks pane.
2. Locate the backup file, choose Restore → enter the password → OK.

Note: to back up only a particular firewall policy, proceed the same way using the Export and Import Firewall Policy functions in the Tasks pane.

Summary:

To keep the system running reliably, we must back up the policies completely so that they can be restored when a failure occurs. We can back up the entire ISA Server or only certain firewall policies.

PART II: DEPLOYING MULTI VPN

Objectives:

Understand the Internet connection methods for an enterprise network. Configure shared Internet access with Proxy and NAT. Deploy site-to-site VPN for secure communication between the enterprise's sites. Build a centralized RADIUS authentication system. Troubleshoot VPN and RADIUS connection problems.

WAN and Internet connection methods

Today most Internet connections use ADSL as the WAN service. Besides ADSL there are other subscription types such as Leased Line and Frame Relay, and applications over WAN subscriptions are increasingly used, such as Frame Relay with MPLS VPN technology and ADSL with MegaWAN services. In the early years of the Internet there was also dial-up. Once an Internet connection exists, the remaining problem is sharing it with all or part of the system. Internet sharing can be done with services built into Windows or with third-party software. Some ways to do it:

1. ICS
2. Winroute
3. NAT

NAT (Network Address Translation) is a service built into Windows Server. Its purpose is to let machines borrow the address of an intermediate machine to reach machines on another network. NAT is commonly used to share Internet access with the whole internal LAN.

First, IP addresses are divided into two kinds: those used inside the LAN, called Private, and those used on the Internet, called Public. By convention, Private addresses must never appear on the Internet: when a server such as Yahoo Mail replies to a request, the destination address it would use is an internal address such as 192.168.1.100, and since that address is probably in use in tens of thousands of networks around the world, the data would not arrive correctly. When NAT is used to share the Internet, the computer first borrows the Public address of the device or computer facing the Internet, which is unique at the moment of access. When Yahoo Mail replies, the reply goes to that Public address; the device looks up which computer made the request using that Public address and forwards the reply to that computer, completing the transfer. NAT has a further advantage: machines on the LAN can reach the Internet, but machines on the Internet can hardly reach the LAN, which provides a measure of safety.

- Use the Windows ICS (Internet Connection Sharing) service.
- Use the NAT service in Windows Server.
- Use software such as Winroute.
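The address-borrowing described above, and the Port Forwarding exception noted later in this lesson, as an added Python model written for this manual (not Windows Server's NAT implementation): each outbound flow borrows the public IP plus a unique port, replies are mapped back through that table, unsolicited packets from the Internet are dropped, and a configured port forward is the only way in. All addresses are constructed from documentation ranges.

```python
import itertools


class NatRouter:
    """Model of the NAT device from the lesson: LAN hosts borrow the router's public IP."""

    def __init__(self, public_ip, port_forwards=None, first_port=40000):
        self.public_ip = public_ip
        # Port Forwarding rules: (proto, public_port) -> (private_ip, private_port)
        self.port_forwards = dict(port_forwards or {})
        # Outbound table: (proto, private src, dst) -> public port borrowed for that flow
        self.outbound_map = {}
        # Reverse table: (proto, public port, remote peer) -> private src
        self.inbound_map = {}
        self.next_port = itertools.count(first_port)

    def translate_outbound(self, proto, src, dst):
        """LAN -> Internet: rewrite the private source to public_ip plus a unique port."""
        key = (proto, src, dst)
        if key not in self.outbound_map:
            port = next(self.next_port)
            self.outbound_map[key] = port
            self.inbound_map[(proto, port, dst)] = src
        return (self.public_ip, self.outbound_map[key]), dst

    def translate_inbound(self, proto, src, dst):
        """Internet -> public IP: deliver replies to the host that asked, or apply a port
        forward; anything else is dropped, which is why the LAN is hard to reach."""
        if dst[0] != self.public_ip:
            return None
        private = self.inbound_map.get((proto, dst[1], src))
        if private is None:
            private = self.port_forwards.get((proto, dst[1]))
        if private is None:
            return None                       # unsolicited packet: dropped
        return src, private


def run_scenario():
    """Constructed traffic: two LAN hosts mailing the same server, a reply, an unsolicited
    packet and a port-forwarded web request. Addresses are constructed (documentation ranges)."""
    nat = NatRouter("203.0.113.5", port_forwards={("tcp", 80): ("192.168.1.100", 80)})
    mail = ("198.51.100.25", 25)
    # Both LAN hosts happen to use source port 5001; NAT must give each its own public port.
    out1 = nat.translate_outbound("tcp", ("192.168.1.100", 5001), mail)
    out2 = nat.translate_outbound("tcp", ("192.168.1.101", 5001), mail)
    # The mail server replies to the public address; NAT maps it back to the right LAN host.
    reply = nat.translate_inbound("tcp", mail, out1[0])
    # A packet from the Internet to a port nobody asked for: dropped.
    unsolicited = nat.translate_inbound("tcp", ("198.51.100.99", 4444), ("203.0.113.5", 3389))
    # Port Forwarding lets the Internet reach the internal web server on port 80.
    web = nat.translate_inbound("tcp", ("198.51.100.99", 50000), ("203.0.113.5", 80))
    return {"out1": out1, "out2": out2, "reply": reply, "unsolicited": unsolicited, "web": web}
```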

Configuring NAT involves the following steps:
- Enable the Routing and Remote Access service.
- Choose the network card connected to the Internet (or to the target network).
- Other settings (if needed).

1. The machine running NAT needs two network cards: one connected to the Internet and one connected to the LAN.
2. Enable the Routing and Remote Access service via Administrative Tools → Routing and Remote Access. Right-click and choose to enable the service.
3. Choose the NAT service if only a plain Internet connection is needed, or choose Custom Configuration. Here, choose NAT because only Internet connection sharing is needed.

Choose the network card connected to the Internet.

Click Next to complete the setup (the correct Internet-facing card must be chosen, otherwise Internet access will not work).

Application: to get the most out of the NAT service, remember to add settings such as Default Gateway and DNS on the clients. The best way is to combine NAT with DHCP to hand out these settings. See the DHCP section in the earlier module.

Note: ICS is a sharing service built into Windows, but it is only suitable for sharing a connection among about 10 to 15 PCs and lacks many of NAT's features; you may want to read more about this service.

Note: NAT still allows an outside computer to reach a server inside the internal network, by configuring Port Forwarding.

VPN (Virtual Private Network)

Every company has branches and partners, and needs to transfer information efficiently and securely over the Internet, an environment that is neither safe nor convenient for exchanging information. The VPN (Virtual Private Network) was created to solve these problems:
- Exchange and transfer information securely between branches by creating a separate channel between them, called a Tunnel.
- Encrypt data before transmission; the receiving side decrypts it for use.
- Verify data integrity with a hashing algorithm (hash key) to ensure the data has not been altered.

VPNs commonly take the following forms:
- Remote Access VPN: lets users at home connect to the company to work, while ensuring the information carried over the network suffers little loss.
- Site to Site VPN: connects two branches or connects to partners, ensuring data transferred between the VPN sites is secure.
- User to User VPN.

In this course we use only Remote Access VPN and Site to Site VPN. The protocols commonly used to carry VPN traffic are: PPTP, L2TP, IPSec.

The requirements for establishing a VPN connection are:
- A public network such as the Internet, wireless or a LAN.
- A VPN Server that authenticates users and assigns them a working IP address.
- The user must be allowed to use the dial-in VPN service in Active Directory Users and Computers.

Steps to set up a VPN connection for a user:

1. On the server, enable the VPN feature in the Routing and Remote Access service: Start → Programs → Administrative Tools → Routing and Remote Access. Enable Routing and Remote Access (if not already enabled). Choose Custom Configuration.

Choose the VPN feature.

Click Finish to complete.

2. Configure user authentication on the VPN. In the Routing and Remote Access window choose Properties of the newly installed connection. Choose the Security tab.

Set Authentication provider and Accounting provider to Windows Authentication (that is, authenticate with the user accounts in AD). Choose the IP section to set up IP addresses for users.

3. Create a user and allow users to connect to the VPN Server. Create a user in Active Directory, in this case the user vpn.

In the user's Properties, set Remote Access Permission (Dial-in or VPN) to Allow.

4. On the client, create the VPN connection. Create a new connection on the client.

Choose VPN as the connection type.

Enter the name or IP address of the VPN Server.

Complete the connection and place a shortcut on the Desktop.

5. Test the VPN connection by entering the user name and password in the connection.

Note: in practice, for this PPTP connection to work, the ADSL Modem/Router must open port 1723. See the documentation that comes with the ADSL Modem/Router for details on configuring Port Forwarding.

Configuring the VPN to support RADIUS authentication

Steps to configure VPN + RADIUS:
- Configure the VPN Server + RADIUS Client.
- Configure the RADIUS Server on the Domain Controller.
- Test the connection.

1. Configure the VPN Server with RADIUS authentication (the VPN Server is the RADIUS Client). Configuring the VPN Server is the same as for PPTP, except that Authentication provider and Accounting provider are set to RADIUS (see figure). Then choose Configure in VPN Server mode.

Choose Configure and add the RADIUS Server (usually the RADIUS Server is installed directly on the AD server).

2. Install the Internet Authentication Service on the Domain Controller:

On the Domain Controller, install the Internet Authentication Service to support RADIUS authentication: Start → Settings → Control Panel → Add or Remove Programs → Add Windows Components → Networking Services → Internet Authentication Service (IAS).

Configure the RADIUS Server.

Open the newly installed IAS, create and register the VPN Server with Active Directory.

Specify the name of the VPN Server and the IP address of the machine.

Set the shared secret (key) needed to connect to the RADIUS Server.

Register the service with Active Directory.

3. Create users with permission to connect to the RADIUS-backed VPN.

When creating the user in Active Directory, note: besides allowing VPN use, the user must also be added to the RAS and IAS Servers group to be authenticated.

Set up the dial-in connection as in the previous exercise.

Summary:

WAN and Internet connection methods:
- Today most Internet connections use ADSL as the WAN service. Besides ADSL there are other subscription types such as Leased Line and Frame Relay, and applications over WAN subscriptions are increasingly used, such as Frame Relay with MPLS VPN technology and ADSL with MegaWAN services.

Internet sharing can be done with services built into Windows or with third-party software:
- Use the Windows ICS (Internet Connection Sharing) service.
- Use the NAT service in Windows Server.
- Use software such as Winroute.

VPN (Virtual Private Network):
- Exchange and transfer information securely between branches by creating a separate channel between them, called a Tunnel.
- Encrypt data before transmission; the receiving side decrypts it for use.
- Verify data integrity with a hashing algorithm (hash key) to ensure the data has not been altered.
- Remote Access VPN: lets users at home connect to the company to work, while ensuring the information carried over the network suffers little loss.

The protocols commonly used to carry VPN traffic are:
- PPTP, L2TP, IPSec.

The requirements for establishing a VPN connection are:
- A public network such as the Internet, wireless or a LAN.
- A VPN Server that authenticates users and assigns them a working IP address.
- The user must be allowed to use the dial-in VPN service in Active Directory Users and Computers.
